Allow StaticFiles follow symlinks

encode · Jun 10, 2022 · df92e65 · df92e65
1 parent ccd486e
commit df92e65
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/starlette/staticfiles.py b/starlette/staticfiles.py
@@ -161,7 +161,7 @@ def lookup_path(
         self, path: str
     ) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
         for directory in self.all_directories:
-            full_path = os.path.realpath(os.path.join(directory, path))
+            full_path = os.path.abspath(os.path.join(directory, path))
             directory = os.path.realpath(directory)
             if os.path.commonprefix([full_path, directory]) != directory:
                 # Don't allow misbehaving clients to break out of the static files

diff --git a/tests/test_staticfiles.py b/tests/test_staticfiles.py
@@ -441,3 +441,26 @@ def mock_timeout(*args, **kwargs):
     response = client.get("/example.txt")
     assert response.status_code == 500
     assert response.text == "Internal Server Error"
+
+
+def test_staticfiles_follows_symlinks(tmpdir, test_client_factory):
+    statics_path = os.path.join(tmpdir, "statics")
+    os.mkdir(statics_path)
+
+    symlink_path = os.path.join(tmpdir, "symlink")
+    os.mkdir(symlink_path)
+
+    symlink_file_path = os.path.join(symlink_path, "index.html")
+    with open(symlink_file_path, "w") as file:
+        file.write("<h1>Hello</h1>")
+
+    statics_file_path = os.path.join(statics_path, "index.html")
+    os.symlink(symlink_file_path, statics_file_path)
+
+    app = StaticFiles(directory=statics_path)
+    client = test_client_factory(app)
+
+    response = client.get("/index.html")
+    assert response.url == "http://testserver/index.html"
+    assert response.status_code == 200
+    assert response.text == "<h1>Hello</h1>"